
ERSPAN on the Nexus 5xxx

In the NX-OS 5.1(3)N1 release for the Nexus 5000 family of switches, Encapsulated Remote Switch Port Analyzer (ERSPAN) was finally added. This is a long-standing feature enhancement request to make capturing traffic for monitoring and analysis easier: ERSPAN lets you place a network sniffer at a fixed point in the IP topology without having to relocate the sniffer to the local switch you want to monitor. ERSPAN copies the ingress/egress traffic of a given source on the switch and sends it through a GRE tunnel back to an ERSPAN destination. This allows network operators to place their monitoring gear in a central location in the network, where they can collect historical traffic patterns in great detail. This is a Good Thing(c).
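To make the "copy the traffic and GRE-tunnel it back to the destination" description concrete, here is an added example (not code from the original post, and not Cisco software) that decodes what an ERSPAN destination actually receives on the wire: an outer IPv4 packet, a GRE header with protocol type 0x88BE, the 8-byte ERSPAN Type II header carrying the session ID and original VLAN, and then the mirrored Ethernet frame. It assumes ERSPAN Type II framing (the variant I expect from these platforms; the page itself does not name the type), and the origin/destination addresses and the inner frame are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IP_PROTO_GRE = 47            # outer IPv4 protocol number for GRE
GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type used by ERSPAN Type II
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


@dataclass
class ErspanFrame:
    origin_ip: str          # ERSPAN origin (the mirroring switch)
    dest_ip: str            # ERSPAN destination (where the sniffer sits)
    gre_seq: Optional[int]  # GRE sequence number, if the S bit is set
    vlan: int               # VLAN the mirrored frame was seen on
    cos: int
    session_id: int         # ERSPAN ID that ties source and destination sessions together
    index: int
    inner_frame: bytes      # the mirrored Ethernet frame, byte for byte


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_erspan_packet(pkt: bytes) -> ErspanFrame:
    """Decode outer IPv4 + GRE + ERSPAN Type II and return the mirrored frame."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != IP_PROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    origin, dest = _ipv4(pkt[12:16]), _ipv4(pkt[16:20])

    off = ihl
    flags, gre_proto = struct.unpack_from("!HH", pkt, off)
    off += 4
    if flags & 0x0007:
        raise ValueError("GRE version must be 0")
    if gre_proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE payload is not ERSPAN Type II (0x88BE)")
    # Optional GRE fields appear in C, K, S order; ERSPAN normally sets only S.
    if flags & GRE_FLAG_C:
        off += 4
    if flags & GRE_FLAG_K:
        off += 4
    seq = None
    if flags & GRE_FLAG_S:
        seq = struct.unpack_from("!I", pkt, off)[0]
        off += 4

    # ERSPAN Type II header: Ver(4) VLAN(12) | COS(3) En(2) T(1) Session(10)
    #                        Reserved(12) Index(20)
    w1, w2 = struct.unpack_from("!II", pkt, off)
    off += 8
    if w1 >> 28 != 1:
        raise ValueError("ERSPAN version is not Type II")
    return ErspanFrame(
        origin_ip=origin,
        dest_ip=dest,
        gre_seq=seq,
        vlan=(w1 >> 16) & 0x0FFF,
        cos=(w1 >> 13) & 0x7,
        session_id=w1 & 0x3FF,
        index=w2 & 0xFFFFF,
        inner_frame=pkt[off:total_len],
    )


def build_sample_erspan_packet(session_id: int = 100, vlan: int = 10, seq: int = 1) -> bytes:
    """Constructed sample: what an origin switch would emit for one mirrored frame.

    Addresses 10.0.0.1 (origin) and 10.0.0.2 (destination) and the inner frame
    are made up for this example.
    """
    inner = (bytes.fromhex("001122334455")      # constructed dst MAC
             + bytes.fromhex("66778899aabb")    # constructed src MAC
             + b"\x08\x00"                      # EtherType IPv4
             + b"\x45\x00" + b"\x00" * 26)      # stub IPv4 payload
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | (5 << 13) | session_id, 0)
    gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN_II, seq)
    total = 20 + len(gre) + len(erspan) + len(inner)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IP_PROTO_GRE, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return outer_ip + gre + erspan + inner


if __name__ == "__main__":
    frame = parse_erspan_packet(build_sample_erspan_packet(session_id=100, vlan=10, seq=7))
    print(frame.origin_ip, "->", frame.dest_ip, "erspan-id", frame.session_id,
          "vlan", frame.vlan, "inner bytes", len(frame.inner_frame))
```

The point a defender should take from the decode is that the mirrored frame travels across the IP network in plain GRE: anything between the origin and the destination sees the copied traffic, and the only thing tying a copy to a monitoring session is the 10-bit ERSPAN ID, so the destination session on the receiving switch has to be configured with the same ID and the transit path deserves the same trust as a physical SPAN cable.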

Now, you’re probably irritated that you need a second device to terminate the ERSPAN session (I know I am); however, let’s put this into perspective. You can only have 2 active source SPAN sessions per Nexus 7000 / Nexus 3000 or even Catalyst 6500 chassis. With the inclusion of ERSPAN support on the Nexus 5000 series, you now have more telemetry points within the network. Depending on your access layer deployment, you could actually have more points of visibility within your network than you previously did if you’re leveraging Nexus 5000 switches with Nexus 2000 fabric extenders for rackmount server deployments. Even with all of the VDC slicing and dicing you can do on a Nexus 7000, you’re only allowed 2 SPAN sources per chassis. Period. This got to be very troublesome in some early Nexus deployments where we were leveraging multiple VDCs. (I should point out that ACL captures are now supported on the Nexus 7000 as of NX-OS 5.2.) Now, you can use the Nexus 7000 and Nexus 3000 (as of NX-OS 5.0(3)U2(2)) to support up to 23 ERSPAN destinations per chassis.

Side Note: you should use 5.0(3)U2(2b) on the Nexus 3000 because of a nasty memory leak with the monitor process that would cause the switch to crash.

There are however some important caveats to pay attention to:

The Nexus 5500 / 5000 switches ONLY support ERSPAN sources. You can NOT locally terminate an ERSPAN session on a Nexus 5500/5000 chassis. The ERSPAN traffic must be sent to a switch that can terminate the session as an ERSPAN destination, such as the Nexus 7000, Nexus 3000 or a Catalyst 6500.